Skip to main content
HashnodeMithun Dev

Command Palette

Search for a command to run...

Tracing the Digital Footprints - Account Usage

Updated
5 min read
Tracing the Digital Footprints - Account Usage
M
Mithun Dev
Part of seriesWindows Forensics

In the realm of digital forensics, understanding how accounts are used on a Windows system is critical for piecing together incident timelines, identifying unauthorized access, and validating legitimate user actions. Beyond just file and folder interactions, Windows meticulously logs various aspects of account activity, providing a rich evidentiary trail for investigators. This blog post explores key artifacts under the "Account Usage" category, shedding light on their descriptions, locations, and the invaluable insights they offer.

Last Login

The "Last Login" artifact provides a quick snapshot of when local accounts were last accessed.

  • Description: This artifact lists the local accounts of the system and their equivalent security identifiers.

  • Location: The relevant information can be found within the SAM (Security Account Manager) hive, specifically at C:\windows\system32\config\SAM and within the SAM\Domains\Account\Users key.

  • Interpretation: It's important to note that only the last login time will be stored in this registry key.

Last Password Change

Tracking password changes is crucial for understanding account hygiene and potential compromise.

  • Description: This artifact lists the last time the password of a specific local user has been changed.

  • Location: Similar to "Last Login," this information is located within the SAM hive at C:\windows\system32\config\SAM and under the SAM\Domains\Account\Users key.

  • Interpretation: Like last login, only the last password change time will be stored in this registry key.

RDP Usage

Remote Desktop Protocol (RDP) activity is a common vector for unauthorized access, making its forensic artifacts highly significant.

  • Description: "RDP Usage" artifacts track Remote Desktop Protocol logons to target machines.

  • Location: This data is primarily recorded in the Security Log. On Windows 7/8/10 systems, the relevant log file is found at %SYSTEM ROOT%\System32\winevt\logs\Security.evtx.

  • Interpretation:

    • For Windows 7/8/10, Event ID 4778 signifies a Session Connected/Reconnected.

    • Event ID 4779 indicates a Session Disconnected.

    • The event log further provides the hostname and IP address of the remote machine making the connection.

    • Forensically, it's a common observation on workstations that a current console session disconnected (Event ID 4779) is often followed by an RDP connection (Event ID 4778).

Services Events

Services are a frequent target for malware persistence and system manipulation, and their event logs provide critical insights.

  • Description: These events allow investigators to analyze logs for suspicious services running at boot time and to review services started or stopped around the time of a suspected compromise.

  • Location: All relevant Event IDs for services reference the System Log. Specific Event IDs include:

    • 7034: Service crashed unexpectedly.

    • 7035: Service sent a Start/Stop control.

    • 7036: Service started or stopped.

    • 7040: Start type changed (e.g., Boot | On Request | Disabled).

    • 7045: A service was installed on the system (specific to Win2008R2+).

    • 4697: A service was installed on the system (from the Security log).

  • Interpretation:

    • It's important to note that all Event IDs except 4697 reference the System Log.

    • A large amount of malware and worms in the wild utilize Services for various malicious purposes.

    • Services started on boot illustrate persistence, which is a desirable trait for malware.

    • Furthermore, services can crash due to attacks like process injection.

Logon Types

Understanding the "Logon Type" provides granular detail about the method of account authentication.

  • Description: Logon Events provide very specific information regarding the nature of account authorizations on a system. Beyond the date, time, username, hostname, and success/failure status of a logon, they enable investigators to determine exactly by what means a logon was attempted.

  • Location: For Windows 7/8/10, the primary Event ID for logon events is 4624.

  • Interpretation: The "Logon Type" field within these events deciphers the method of logon:

2Logon via console
3Network Logon
4Batch Logon
5Windows Service Logon
7Credentials used to unlock screen
8Network logon sending credentials (cleartext)
9Different credentials used than logged on user
10Remote interactive logon (RDP)
11Cached credentials used to logon
12Cached remote interactive (similar to Type 10)
13Cached unlock (similar to Type 7)

Authentication Events

These events offer insight into the underlying authentication protocols used for account verification.

  • Description: This artifact describes the authentication mechanisms employed on the system.

  • Location: Authentication events are recorded on the system that authenticated the credentials.

    • For local account/workgroup authentication, the events are found on the workstation.

    • For Domain/Active Directory authentication, they are found on the domain controller.

    • On Windows 7/8/10, these events are typically located in the Security Event Log at %SYSTEM ROOT%\System32\winevt\logs\Security.evtx.

  • Interpretation: Specific Event ID Codes help interpret the authentication protocol used:

    • NTLM protocol:

      • 4776: Indicates Successful/Failed account authentication.

    • Kerberos protocol:

      • 4768: Signifies that a Ticket Granting Ticket was granted (successful logon).

      • 4769: Indicates a Service Ticket was requested (access to server resource).

      • 4771: Denotes that Pre-authentication failed (failed logon).

Success/Fail Logons

A fundamental aspect of security analysis, these events directly report the outcome of logon attempts.

  • Description: This artifact allows investigators to determine which accounts have been used for attempted logons and to track account usage for known compromised accounts.

  • Location: On Windows 7/8/10, these events are found within the Security Event Log at %system root%\System32\winevt\logs\Security.evtx.

  • Interpretation: The following Event IDs provide clear indications of logon outcomes on Windows 7/8/10 systems:

    • 4624: Indicates a Successful Logon.

    • 4625: Denotes a Failed Logon.

    • 4634 | 4647: Signify a Successful Logoff.

    • 4648: Represents a Logon using explicit credentials (Runas).

    • 4672: Indicates an Account logon with superuser rights (Administrator).

    • 4720: Shows that An account was created.

By meticulously analyzing these "Account Usage" artifacts, forensic investigators can establish a comprehensive understanding of user and account activities, identify potential security breaches, and piece together the narrative of events that occurred on a Windows system.

Windows Forensics

Part 3 of 8
Up next

Tracing the Digital Footprints - Deleted File or File Knowledge

In digital forensics, recovering and understanding information about deleted files, or even just knowledge of files that existed on a system, is paramount. Whether it's to reconstruct events, identify malicious activity, or recover lost data, Windows...

More from this blog

Mithun Dev

9 posts